This listing of claims will replace all prior versions and listings of claims in this application:

a.) Listing of Claims 



1. (Currently amended) A system for controlling communications over a
computer network, the system comprising:

access control devices for the computer network that control communications
between compartments of the computer network;

attack detection system for determining whether the computer network may be
under attack; and

a control plane for instructing the access control devices to allow network
communications between the compartments of the computer network
based on a usage model describing legitimate network communications
while restricting other network communications between the
compartments, in response to attack.

2. (Original) A system as claimed in claim 1, wherein the computer network is 
an enterprise network. 

3. (Original) A system as claimed in claim 1, wherein the computer network is a 
service provider network. 

4. (Original) A system as claimed in claim 1, wherein the computer network is a 
public network. 

5. (Original) A system as claimed in claim 1, wherein the access control devices 
compartmentalize the computer network into separate sub-networks of network 
devices. 

6. (Original) A system as claimed in claim 1, wherein the access control devices 
separate host computers from the computer network. 
7. (Original) A system as claimed in claim 1, further comprising a network
modeling system for generating the usage model. 

8. (Original) A system as claimed in claim 7, wherein the network modeling 
system receives flow information describing communications between network 
devices. 

9. (Original) A system as claimed in claim 8, wherein the flow information is 
collected by network communications devices. 

10. (Original) A system as claimed in claim 8, wherein the flow information is 
collected by the access control devices. 

11. (Original) A system as claimed in claim 8, wherein the network modeling
system discards flow information between network devices in the computer 
network and network devices external to the computer network. 

12. (Original) A system as claimed in claim 7, wherein the network modeling 
system compares new network communications to the usage model and updates 
the usage model if the new network communications are not described by the 
usage model. 

13. (Original) A system as claimed in claim 1, wherein entries in the usage 
model comprise source addresses, destination addresses, source ports, and 
destination ports derived from the network communications. 

14. (Original) A system as claimed in claim 1, wherein entries in the usage 
model comprise source addresses, destination addresses, source ports, and 
destination ports derived from the network communications in addition to time 
stamp information indicating when the network communication was last detected. 

15. (Original) A system as claimed in claim 1, wherein entries in the usage 
model comprise source addresses, destination addresses, source ports, and 
destination ports derived from the network communications in addition to
frequency information indicating a frequency of the network communication. 

16. (Original) A system as claimed in claim 1, wherein the attack detection 
system monitors communications over the computer network for attack using 
signature detection. 

17. (Original) A system as claimed in claim 1, wherein the attack detection 
system performs heuristic modeling to determine whether the computer network 
is under attack. 

18. (Original) A system as claimed in claim 1, wherein the attack detection 
system monitors communications over the computer network for attack by 
monitoring changes in connections between network devices. 

19. (Original) A system as claimed in claim 1, wherein the control plane receives
protocol information and/or port information characteristic of the attack and 
generates pass and/or blocking rules for the access control devices. 

20. (Original) A system as claimed in claim 1, wherein the control plane receives 
protocol information and/or port information characteristic of the attack and 
generates pass rules and blocking rules for the access control devices, in which 
the pass rules are generated from the usage model and the blocking rules are 
generated from the protocol information and/or port information characteristic of 
the attack. 

21. (Currently amended) A method for responding to an attack on a computer
network, the method comprising:

generating a usage model for the computer network;

determining whether the computer network may be under attack;

in response to detecting attack, determining characteristics of the attack; and

generating instructions to access control devices compartmentalizing the
computer network in response to the characteristics of the attack, wherein
the step of generating instructions to the access control devices comprises
formulating pass and/or blocking rules for the access control devices in
response to protocol characteristics and/or port characteristic of the attack;
issuing the instructions to the access control device which then
compartmentalize the computer network by implementing the pass and/or
blocking rules.

22. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records describing network communications to 
and from network devices on the computer network. 

23. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records describing network communications 
between network devices on the computer network. 

24. (Original) A method as claimed in claim 21, wherein the step of generating 
the usage model comprises saving records that include port, protocol, source 
address and destination address of network communications to and from network 
devices on the computer network. 

25. (Original) A method as claimed in claim 21, further comprising the step of
the access control device compartmentalizing the computer network into separate
sub-networks of network devices. 

26. (Original) A method as claimed in claim 21, further comprising the step of 
the access control device compartmentalizing the computer network by separating 
host computers from the computer network. 

27. (Original) A method as claimed in claim 21, wherein the step of generating a 
usage model comprises: 

collecting flow information at network communications devices; and 
passing the flow information to a network modeling system. 
28. (Original) A method as claimed in claim 27, wherein the step of collecting
flow information is performed by the access control devices. 

29. (Original) A method as claimed in claim 21, wherein the step of generating a 
usage model comprises comparing network communications to the usage model 
and updating the usage model if the network communications are not described by 
the usage model. 

30. (Original) A method as claimed in claim 21, wherein the step of determining
whether the computer network may be under attack comprises monitoring
network communications for attack signatures. 

31. (Original) A method as claimed in claim 21, wherein the step of determining
whether the computer network may be under attack comprises performing 
heuristic modeling to determine whether the computer network is under attack. 

32. (Original) A method as claimed in claim 21, wherein the step of determining 
whether the computer network may be under attack comprises monitoring 
changes in connections between network devices. 

33. (Cancelled) 

34. (Currently amended) A method as claimed in claim 21, wherein the step of 
generating instructions to the access control devices comprises formulating 
generating pass rules and blocking rules for the access control devices, in which 
the pass rules are generated from the usage model and the blocking rules are 
generated from protocol and/or port characteristics of the attack. 
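The following is an added illustration, not part of the application or its claims, of the data structures and control-plane logic the claims describe: a usage model whose entries are keyed by source address, destination address, protocol, source port and destination port and carry last-seen and frequency metadata (claims 13 to 15 and 24), updated only by flows it does not already describe (claims 12 and 29) and ignoring flows with an endpoint outside the network (claim 11); and, on attack, pass rules derived from that model and blocking rules derived from the protocol and port characteristics of the attack (claims 19, 20 and 34). The 10.0.0.0/8 address space, the two compartments, the flow records and the attack characteristics (TCP port 445) are all constructed for the example; the class and function names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed topology (assumption, not from the claims): the whole computer
# network is 10.0.0.0/8 and each access control device fronts one compartment.
INTERNAL = ip_network("10.0.0.0/8")
COMPARTMENTS = {
    "users": ip_network("10.1.0.0/16"),
    "servers": ip_network("10.2.0.0/16"),
}

FlowKey = Tuple[str, str, str, int, int]  # (src, dst, proto, sport, dport)


def compartment_of(addr: str) -> Optional[str]:
    """Name of the compartment containing addr, or None if it is not compartmentalized."""
    ip = ip_address(addr)
    for name, net in COMPARTMENTS.items():
        if ip in net:
            return name
    return None


@dataclass
class Entry:
    last_seen: int   # time stamp of the last detection (claim 14)
    count: int = 1   # how often the communication was seen (claim 15)


class UsageModel:
    """Usage model entries keyed by the 5-tuple of claims 13 and 24."""

    def __init__(self) -> None:
        self.entries: Dict[FlowKey, Entry] = {}

    def observe(self, flow: FlowKey, ts: int) -> str:
        """Compare one flow record to the model and update it if needed (claim 12)."""
        src, dst = flow[0], flow[1]
        # Flows with an endpoint outside the computer network are discarded (claim 11).
        if ip_address(src) not in INTERNAL or ip_address(dst) not in INTERNAL:
            return "discarded"
        entry = self.entries.get(flow)
        if entry is None:
            self.entries[flow] = Entry(last_seen=ts)
            return "new"
        entry.last_seen = ts
        entry.count += 1
        return "known"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # None means "any"
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def matches_attack(proto: str, dport: int, attack_proto: Optional[str], attack_port: Optional[int]) -> bool:
    """True if a model entry has the protocol and/or port characteristic of the attack."""
    return (attack_proto is None or proto == attack_proto) and \
           (attack_port is None or dport == attack_port)


def generate_rules(model: UsageModel, attack_proto: Optional[str], attack_port: Optional[int]) -> List[Rule]:
    """Control-plane step of claims 19/20/34: blocking rules from the attack
    characteristics, pass rules from the usage model, then deny everything else."""
    rules: List[Rule] = []
    if attack_proto is not None or attack_port is not None:
        # Blocking rule first, so it takes precedence over any pass rule.
        rules.append(Rule("block", proto=attack_proto, dport=attack_port))
    for (src, dst, proto, sport, dport) in model.entries:
        c_src, c_dst = compartment_of(src), compartment_of(dst)
        # Access control devices only mediate traffic between different compartments.
        if c_src is None or c_dst is None or c_src == c_dst:
            continue
        # A pass rule the blocking rule would shadow is not emitted at all.
        if matches_attack(proto, dport, attack_proto, attack_port):
            continue
        rules.append(Rule("pass", proto, src, dst, sport, dport))
    rules.append(Rule("block"))  # default deny between compartments (claim 1)
    return rules


# Constructed flow records: ((src, dst, proto, sport, dport), timestamp).
SAMPLE_FLOWS = [
    (("10.1.0.5", "10.2.0.10", "tcp", 51000, 443), 100),
    (("10.1.0.5", "10.2.0.10", "tcp", 51001, 445), 150),
    (("10.1.0.7", "8.8.8.8", "udp", 53000, 53), 160),       # external endpoint
    (("10.2.0.10", "10.2.0.11", "tcp", 40000, 5432), 170),  # same compartment
    (("10.1.0.5", "10.2.0.10", "tcp", 51000, 443), 200),    # repeat of the first
]


def build_demo():
    """Learn the model from SAMPLE_FLOWS, then respond to a constructed TCP/445 attack."""
    model = UsageModel()
    outcomes = [model.observe(flow, ts) for flow, ts in SAMPLE_FLOWS]
    rules = generate_rules(model, "tcp", 445)
    return model, outcomes, rules


if __name__ == "__main__":
    _, outcomes, rules = build_demo()
    print("observations:", outcomes)
    for r in rules:
        print(r)
```

Because the claimed entries include the source port, each pass rule is specific to one ephemeral source port; a deployment that wants the pass rules to survive client reconnects would generalize the source port (or the source host) when deriving rules from the model, which is a design choice the claims leave open.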

35. (New) A system for controlling communications over a computer network,
the system comprising:

access control devices for the computer network that control communications
between compartments of the computer network; 



6 of 11



Application No.: 10/684,964 
Amendment dated: September 6, 2007 
Reply to Office Action of April 6, 2007
Attorney Docket No.: 0016.0011 

attack detection system for determining whether the computer network may be
under attack; and

a control plane for instructing the access control devices to only allow network 
communications between the host computers in different compartments of 
the computer network based on a usage model describing legitimate 
network communications while restricting all other network 
communications between the host computers, in response to attack. 